CVE-2025-67875
CVE-2025-67875 affects ChurchCRM prior to version 6.5.3. An authenticated user with mid-level permissions (Edit Records; Manage Properties and Classifications) can combine an IDOR with Broken Access Control to inject a persistent stored XSS payload into an administrator’s profile. The XSS execute...